Re: linux-next: add utrace tree

[tytso]

On Sat, Jan 23, 2010 at 09:04:56PM -0800, Linus Torvalds wrote:
  The killer app for this will be the ability to delete thousands of
  lines of code from GDB, strace, and all the various other tools that
  have to painfully work around the major interface gotchas of ptrace(),
  while at the same time making their handling of complex processes much
  more robust.
 
 No. There is absolutely _no_ reason to believe that gdb et al would ever 
 delete the ptrace interfaces anyway. 

More to the point, gdb *couldn't* use utrace, because utrace only
exports a kernel API; not a syscall interface.  And if the Red Hat
Toolchain folks are thinking about encouraging gdb to start creating
out-of-tree kernel modules, so that (a) gdb requires root privs, and
(b) gdb is as (un)stable as SystemTap with respect to development
kernels by making it dependent on internal kernel API's, the Red Hat
Toolchain group needs to be smacked upside the head...

   - Ted

Re: linux-next: add utrace tree

[tytso]

On Sun, Jan 24, 2010 at 08:42:13PM -0500, Kyle Moffett wrote:
 
 Personally I don't give a flying  about SystemTap; I'm interested
 in things like the ability to stack gdb with strace, the RFC gdb-stub
 posted a week ago, etc.  None of those abilities would be out-of-tree
 modules at all, and therefore the quicksand analogy is specious.

Great.  So what should be reviewed is utrace *plus* these other
userland interfaces, which may get critiqued and improved, and utrace
patches can be reviewed in light of these new features.  But be
warned if it turns out that only 30% of utrace is only needed to
support gdb stacking with strace, etc., the other 70% will likely get
ejected and the utrace patches streamlined to support these in-tree
users.  But since you don't give a flying  about SystemTap,
presumably you won't mind, right?


 I would be willing to guess that something like 95% of the people
 using SystemTap or other tools are doing so on Red Hat Enterprise
 Linux or other enterprise supported platforms, and so when something
 breaks they go whinge at Red Hat, etc.  If I recall correctly Red Hat
 and many of the other vendors already heavily fiddle with kernel
 patches they apply to provide some amount of binary module
 compatibility.

Sure, but as out-of-tree modules, the best they can expect is that
most kernel developers will pretend that they don't exist.  Which is
OK, when I tried using SystemTap most of the concerns which I
expressed as being critical for kernel developers were largely ignored
(as near as I could tell) because the target market was RHEL corporate
customers, and they prioritized their resourcing accordingly --- so
they shouldn't mind if kernel developers return the favor.

But that means that we should only merge those portions of utrace that
are needed for these alleged killer new features, and only if these
new features are cool enough that they justify the new code on their
own merits.   At least, IMNSHO.

- Ted

Re: linux-next: add utrace tree

[tytso]

On Sat, Jan 23, 2010 at 06:47:29AM -0500, Frank Ch. Eigler wrote:
  What utrace does is that it provides an opaque set of APIs for
  unspecified and out of tree _kernel_ modules (such as systemtap). It
  doesnt support any 'application' per se. It basically removes the
  kernel's freedom at shaping its own interaction with debug
  application.
 
 This claim is hard to take any more seriously than emoting that the
 blockio layer is opaque because device drivers remove freedom for
 the kernel to shape its interaction with hardware.  If you have any
 *real evidence* about how any present user of utrace misuses that
 capability, or interferes with the kernel's freedom, show us please.

The fundamental issue which Ingo is trying to say (and which you
apparently don't seem to be understanding) is that utrace doesn't
export a syscall (which is an ABI that we are willing to promise will
be stable), but rather a set of kernel API's (which we never promise
to be stable), and the fact that there will be out-of-tree programs
that are going to be trying to depend on that interface (much like
Systemtap does today when it creates kernel modules) is something that
is considered on par with Nvidia trying to ship proprietary video
drivers.  

(OK, maybe not *quite* as evil as Nvidia because at least SystemTap is
open source, but the bottom line is that enabling out-of-tree modules
isn't considered a good thing, and if we know in advance that there
are out-of-tree modules, there is a strong tendency to want to nip
those in the bud.)

The reason why I avoid Nvidia hardware like the plague is because I
work on bleeding-edge kernels, and even though companies like Nvidia
and Broadcom try very hard to keep up with released upstream kernels,
#1, there is always the concern of what happens if they decide to
change that policy, and #2, invariably something will break during the
-rc1 or -rc2 stage, and then my laptop is useless for running bleeding
edge kernels.  It's one of the reasons why many kernel developers gave
up on SystemTap, because it's not something that can be trusted to be
there, and the fault is not on our changing the API's, it's on
SystemTap depending on API's that were never guaranteed to be stable
in the first place.

If you want to try to slide utrace in, such that we're able to ignore
the fact that there will be this external house that will be built on
quicksand, pointing at how nice the external house will be isn't going
to be helpful.  Nor is pointing at the ability that other people will
be able to build other really nice houses on the aforementioned
quicksand (i.e., out-of-tree kernel modules that depend on kernel
API's).

A simple code cleanup argument is not carrying the day (Look!  We
can cleanup the ptree code!).  It's going to have to be a **really**
cool in-tree kernel funtionality that provides a killer feature (in
Linus's words), enough so that people are willing to overlook the fact
that there's this monster external out-of-tree project that wants to
be depend on API's that may not be stable, and which, even if the
developers don't grump at us, users will grump at us when we change
API's that we had never guaranteed will be stable, and then Systemtap
breaks.

This is probably why Ingo invited you to think about ways of doing
some kind of safe in-kernel bytecode approach.  That has the advantage
of doing away with external kernel modules, with all of their many
downsides: its dependency on unstable kernel API's, the fact that many
financial customers have security policies that prohibit C compilers
on production machines, the inherent security risk of allowing
external random kernel modules to be delivered and loaded into a
system, etc.

  - Ted